Document Shredding Services in Staten Island, NY

shredding services Staten Island NY document destruction

The Gramm-Leach-Bliley Act (GLB Act, also known as GLBA) is the foundational federal privacy law for financial institutions in the United States. While many New York businesses focus on HIPAA and SHIELD Act compliance, the GLB Act’s Safeguards Rule and Privacy Rule impose equally demanding requirements on banks, credit unions, mortgage lenders, insurance companies, investment advisors, accounting firms, and a broad range of other financial service providers. GLB Act shredding requirements for New York financial institutions are particularly significant given New York’s role as the nation’s financial capital—nearly every major bank, insurance carrier, and investment management firm has a substantial New York presence subject to both federal GLB and state NYDFS oversight.

In 2023, the FTC substantially updated the GLB Safeguards Rule, imposing significantly stronger data security obligations on non-banking financial institutions. These updates include explicit requirements for data inventory, access controls, encryption, and secure disposal of customer information. For New York financial businesses that haven’t reviewed their shredding and disposal programs recently, an update is overdue. This guide explains what the GLB Act requires for document disposal, how the FTC’s updated Safeguards Rule changes things, and how New York financial institutions can build a compliant physical records destruction program.

What the GLB Act Covers and Who Is Subject to It

The GLB Act applies to “financial institutions”—a term that the FTC interprets broadly to include any company that is significantly engaged in providing financial products or services to consumers. This goes well beyond banks and investment firms:

  • Banks, credit unions, savings institutions, and mortgage companies
  • Securities broker-dealers, investment advisors, and financial planners
  • Insurance companies and insurance agents
  • Accountants and tax preparers who provide financial advice
  • Automobile dealers that arrange financing
  • Real estate settlement service providers and title insurance companies
  • Check cashing businesses, wire transfer services, and payday lenders
  • Credit counseling agencies and debt collectors

For all of these entities, the GLB Act’s Privacy Rule requires annual privacy notices to customers, and the Safeguards Rule requires a written information security program that includes physical security measures for customer information—including proper disposal. Our compliance page has more detail on how these frameworks interact.

The FTC Safeguards Rule Update and Physical Disposal Requirements

The FTC’s 2023 update to the GLB Safeguards Rule introduced more specific and prescriptive requirements than the original 2003 rule. For physical document disposal, the updated rule requires financial institutions to:

  1. Develop, implement, and maintain a comprehensive information security program that includes policies and procedures for the secure disposal of customer information in any format (paper or electronic)
  2. Conduct a written risk assessment that specifically identifies risks to customer information from improper disposal
  3. Implement appropriate safeguards to control the risks identified in the risk assessment, including physical disposal safeguards
  4. Oversee service providers (such as shredding vendors) by selecting vendors that can maintain appropriate safeguards and requiring contracts that include provisions for protecting customer information
  5. Designate a qualified individual responsible for overseeing the information security program, who must report to the board of directors annually

The updated rule also requires organizations with 5,000 or more customers’ records to conduct annual penetration testing and bi-annual vulnerability assessments—and the written information security program must specifically address disposal as a component of the overall security framework. Use our shredding process overview to understand how our services fit into your Safeguards Rule program.

NY Department of Financial Services Overlay: 23 NYCRR 500

New York-chartered banks, licensed lenders, insurance companies, and other NYDFS-regulated entities face an additional layer of document security requirements under the NYDFS Cybersecurity Regulation (23 NYCRR 500). While this regulation is primarily focused on digital security, its requirements for nonpublic information (NPI) extend to physical records that contain NPI.

Key 23 NYCRR 500 provisions relevant to document disposal include:

  • Section 500.13 requires covered entities to limit data retention and implement policies for the secure disposal of NPI that is no longer necessary for business operations or other legitimate business purposes
  • Section 500.15 requires encryption of NPI in transit and at rest; for physical documents, this translates to secure storage and chain-of-custody requirements until destruction
  • Section 500.02 requires a written Cybersecurity Policy that must address the destruction and disposal of NPI

New York financial institutions must therefore satisfy both the FTC Safeguards Rule and NYDFS 23 NYCRR 500 simultaneously. The practical overlap is significant, and a well-designed physical records destruction program can satisfy both frameworks. Contact New York Shredding to discuss how we work with NYDFS-regulated entities.

Customer Information: What Must Be Shredded

The GLB Safeguards Rule covers “customer information”—any record containing nonpublic personal information about a customer of a financial product or service. In practice, for a typical New York financial institution, this includes an enormous range of documents:

  • Loan applications, credit reports, and underwriting files
  • Account opening documents, signature cards, and KYC/AML files
  • Investment account statements, trade confirmations, and portfolio reports
  • Insurance applications, policy documents, and claims files
  • Tax forms (1099s, 1098s, K-1s) and financial planning documents
  • Customer correspondence containing financial information
  • Expired contracts and closed account files that contain personal financial information

When these documents reach the end of their retention period, they must be disposed of in a manner that protects against unauthorized access. Simply placing them in recycling is a Safeguards Rule violation. Our scheduled shredding service provides locked consoles, regular pickups, and Certificates of Destruction for every service visit.

Building a GLB-Compliant Shredding Program for New York Financial Institutions

A GLB-compliant shredding program for a New York financial institution includes these elements:

  1. Written disposal policy as part of your Information Security Program, specifying retention periods and destruction methods for each category of customer information
  2. NAID AAA Certified vendor with a written service agreement that addresses security responsibilities and incident reporting
  3. Locked shredding consoles in all areas where customer documents are handled—teller lines, loan processing, insurance underwriting, investment advising
  4. Certificate of Destruction for every service visit, retained as part of your compliance documentation
  5. Annual vendor review as part of your Safeguards Rule third-party service provider oversight requirement
  6. Employee training on the Safeguards Rule’s physical disposal requirements and how to use locked consoles

Why New York Businesses Choose New York Shredding

For over a decade, New York Shredding Document Destruction, Inc. has helped businesses across New York City, Long Island, Westchester, and the Hudson Valley protect their sensitive information through certified, HIPAA-compliant shredding services. Our industrial-grade shredding equipment, locked on-site consoles, and Certificate of Destruction give your business the proof it needs for any compliance audit.

Whether you need scheduled shredding, a one-time purge, or hard drive destruction, we serve all five boroughs and surrounding areas with fast, reliable service. Request a free quote today and get your office on a shredding schedule that keeps you protected year-round.

Ready to get started? Contact New York Shredding for a free quote, or explore our full range of shredding services.

Scroll to Top